[c-nsp] NAT and hairpin's

Fawcett Simon Simon.Fawcett at uk.fujitsu.com
Thu Jul 17 06:40:11 EDT 2008


I have done this on an ASA running 7.2 code. It definitely works.

What happened was the inside server was, say, 10.0.0.1 with an outside
address 1.1.1.1; all client traffic by default was natted to a hide
address 2.2.2.2.

My PC therefore was 10.0.0.2 heading for 1.1.1.1. I was natted by the
hide address so my source was 2.2.2.2.

The only odd thing about it was that you then needed to permit on the
outside interface inbound traffic from 2.2.2.2 going to 1.1.1.1 and
everything worked.

I hope this makes sense and helps someone.

God bless the ASA

Simon 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Geyer, Nick
Sent: 17 July 2008 06:16
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT and hairpin's

Hi Everyone,

Just wondering if anyone has come up with a way to hairpin traffic using
a Cisco router? The problem is as follows:

Say for example I have a router connecting to the Internet and an
internal LAN doing normal NAT, e.g.:

203.1.2.3 -> ROUTER <- 192.168.1.0/24 (203.1.2.3 being the public IP on
the "outside" interface)

I have an application that talks from clients on the Internet to an
internal server (192.168.1.1), with the appropriate static NATs set up
on the router to forward the traffic. The problem is the internal
clients also need to talk to the server but on the public IP address
(203.1.2.3). The traffic from the internal clients will hit the router
but it won't translate and forward the traffic because it's coming from
the "inside" interface (and the static NAT only works for requests from
the outside interface).

I don't believe it can be done but just thought I would ask in case
anyone has come up with a weird and wonderful way.

Cheers,

Nick Geyer.
